Bug 1790837 - firewalld logs many messages "WARNING: COMMAND_FAILED" during Live migrate any VM
Summary: firewalld logs many messages "WARNING: COMMAND_FAILED" during Live migrate an...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: libvirt
Version: 8.1
Hardware: x86_64
OS: Linux
medium
low
Target Milestone: rc
: 8.4
Assignee: Laine Stump
QA Contact: yalzhang@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1897025
 
Reported: 2020-01-14 11:19 UTC by Juan Orti
Modified: 2023-12-15 17:10 UTC (History)

Fixed In Version: libvirt-6.10.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-25 06:41:21 UTC
Type: Bug
Target Upstream Version: 6.10.0
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4733121 0 None None None 2020-01-14 11:19:32 UTC

Description Juan Orti 2020-01-14 11:19:33 UTC
Description of problem:
firewalld logs many messages of the type:

firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0' failed: Illegal target name 'libvirt-J-vnet0'.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0' failed: Illegal target name 'libvirt-P-vnet0'.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed: iptables v1.4.21: goto 'FO-vnet0' is not a chain

Version-Release number of selected component (if applicable):
firewalld-0.6.3-2.el7_7.2.noarch
rhvh-4.3.7.1
vdsm-4.30.38-1.el7ev.x86_64
kernel-3.10.0-1062.9.1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. In a RHVH 4.3 host in a firewalld cluster type, check the firewalld logs:

# journalctl -b -u firewalld

Actual results:
Many warnings, but everything is working as expected and the iptables rules are configured

Expected results:
If possible, it would be ideal to not have these warnings.

Additional info:

Comment 1 cshao 2020-01-15 06:13:36 UTC
Test version:
rhvh-4.3.7.1-0.20191211.0+1
firewalld-0.6.3-2.el7_7.2.noarch
vdsm-4.30.38-1.el7ev.x86_64
kernel-3.10.0-1062.9.1.el7.x86_64

Test steps:
1. In a RHVH 4.3 host 
2. Register RHVH to engine with firewalld cluster type.
3. Contact nfs storage.
4. Create VM.
5. Check the firewalld logs:

# journalctl -b -u firewalld
-- Logs begin at Wed 2020-01-15 05:41:00 UTC, end at Wed 2020-01-15 06:10:01 UTC. --
Jan 15 05:41:09 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 15 05:41:10 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.

I can't reproduce this issue. Are there other steps?

Thanks.

Comment 2 Klaas Demter 2020-01-15 07:35:09 UTC
I am seeing those messages as well, not on rhvh but on rhel + rhv hypervisor.
I see them when migrating VMs to the hypervisor.

Comment 3 Juan Orti 2020-01-15 08:24:48 UTC
Ok, yes, the messages appear when live migrating VMs in or out of a host.

Test steps:
1. Have a cluster of 2 RHVH 4.3 hosts. Cluster of type firewalld.
2. Live migrate HostedEngine to one host, in this case rhvh43-01
3. Check the journal in the moment of the migration:

# journalctl -b -u firewalld -u vdsmd
ene 15 09:08:58 rhvh43-01.laptop.lab vdsm[3894]: WARN ping was deprecated in favor of ping2 and confirmConnectivity
ene 15 09:08:59 rhvh43-01.laptop.lab vdsm[3894]: WARN Attempting to add an existing net user: ovirtmgmt/991baeb2-30b5-4be4-935e-5bb3950438d7
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0' failed: Illegal target name 'libvirt-J-vnet0'.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0' failed: Illegal target name 'libvirt-P-vnet0'.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed: iptables v1.4.21: goto 'FO-vnet0' is not a c
                                                      
                                                      Try `iptables -h' or 'iptables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0' failed: iptables v1.4.21: goto 'FO-vnet0' is not a chain
                                                      
                                                      Try `iptables -h' or 'iptables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0' failed: iptables v1.4.21: goto 'FI-vnet0' is not a chain
                                                      
                                                      Try `iptables -h' or 'iptables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0' failed: iptables v1.4.21: goto 'HI-vnet0' is not a chain
                                                      
                                                      Try `iptables -h' or 'iptables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F FO-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X FO-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F FI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X FI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F HI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X HI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E FP-vnet0 FO-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E FJ-vnet0 FI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E HJ-vnet0 HI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed: ip6tables v1.4.21: goto 'FO-vnet0' is not a
                                                      
                                                      Try `ip6tables -h' or 'ip6tables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0' failed: ip6tables v1.4.21: goto 'FO-vnet0' is not a chain
                                                      
                                                      Try `ip6tables -h' or 'ip6tables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0' failed: ip6tables v1.4.21: goto 'FI-vnet0' is not a chain
                                                      
                                                      Try `ip6tables -h' or 'ip6tables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0' failed: ip6tables v1.4.21: goto 'HI-vnet0' is not a chain
                                                      
                                                      Try `ip6tables -h' or 'ip6tables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F FO-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X FO-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F FI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X FI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F HI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X HI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -E FP-vnet0 FO-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -E FJ-vnet0 FI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -E HJ-vnet0 HI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0' failed: Illegal target name 'libvirt-I-vnet0'.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0' failed: Illegal target name 'libvirt-O-vnet0'.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-I-vnet0' failed: Chain 'libvirt-I-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-I-vnet0' failed: Chain 'libvirt-I-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-O-vnet0' failed: Chain 'libvirt-O-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-O-vnet0' failed: Chain 'libvirt-O-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F I-vnet0-mac' failed: Chain 'I-vnet0-mac' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X I-vnet0-mac' failed: Chain 'I-vnet0-mac' doesn't exist.
ene 15 09:09:01 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F I-vnet0-arp-mac' failed: Chain 'I-vnet0-arp-mac' doesn't exist.
ene 15 09:09:01 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X I-vnet0-arp-mac' failed: Chain 'I-vnet0-arp-mac' doesn't exist.

Comment 4 cshao 2020-01-15 10:33:52 UTC
Moving to weiwang, since this bug occurs when live migrating HostedEngine according to #c3 step 2.

Comment 5 Klaas Demter 2020-01-15 12:48:23 UTC
Hi,
this happens on every VM, not just the hosted engine.

Greetings
Klaas

Comment 6 cshao 2020-01-16 04:10:06 UTC
(In reply to Klaas Demter from comment #5)
> Hi,
> this happens on every VM, not just the hosted engine.
> 
> Greetings
> Klaas

I still can't reproduce this issue with regular Live migrate without hosted engine.

Comment 7 cshao 2020-01-16 04:59:17 UTC
Let's try with Live migrate HostedEngine to see the result, will update ASAP.

Comment 8 Wei Wang 2020-01-16 07:45:19 UTC
Test Version
rhvh-4.3.7.1-0.20191211.0
firewalld-0.6.3-2.el7_7.2.noarch
vdsm-4.30.38-1.el7ev.x86_64
kernel-3.10.0-1062.9.1.el7.x86_64

Test Steps:
1. Install two hosts with rhvh-4.3.7.1-0.20191211.0
2. Register Host1 to RHVM with firewalld cluster type
3. Create vm(RHEL-7.7) on host1
4. Register host2 to RHVM with the same cluster during step 3
5. "#journalctl -b -u firewalld" in host2

Result:
Many warnings in firewalld logs
[root@hp-dl388g9-04 ~]# journalctl -b -u firewalld
-- Logs begin at Thu 2020-01-16 11:54:28 CST, end at Thu 2020-01-16 15:31:18 CST. --
Jan 16 11:54:37 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 16 11:54:38 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0' failed: Illegal target name 'lib
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0' failed: Illegal target name 'li
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed:
                                                                       
                                                                       Try `iptables -h' or 'iptables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0' failed: iptables v1.4.21: go
                                                                       
                                                                       Try `iptables -h' or 'iptables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0' failed: iptables v1.4.21: goto
                                                                       
                                                                       Try `iptables -h' or 'iptables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0' failed: iptables v1.4.21:
                                                                       
                                                                       Try `iptables -h' or 'iptables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F FO-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X FO-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F FI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X FI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F HI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X HI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E FP-vnet0 FO-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E FJ-vnet0 FI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E HJ-vnet0 HI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed
                                                                       
                                                                       Try `ip6tables -h' or 'ip6tables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0' failed: ip6tables v1.4.21: 
                                                                       
                                                                       Try `ip6tables -h' or 'ip6tables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0' failed: ip6tables v1.4.21: go
                                                                       
                                                                       Try `ip6tables -h' or 'ip6tables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0' failed: ip6tables v1.4.2
                                                                       
                                                                       Try `ip6tables -h' or 'ip6tables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F FO-vnet0' failed: ip6tables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X FO-vnet0' failed: ip6tables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F FI-vnet0' failed: ip6tables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X FI-vnet0' failed: ip6tables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F HI-vnet0' failed: ip6tables: No chain/target/match by that name.

QE can reproduce this issue, without migration and HostedEngine environment.

cshao,
It is not related to hosted engine, so moving this bug back to you.

Comment 9 cshao 2020-01-16 09:45:39 UTC
Thanks weiwang.

Comment 10 Sandro Bonazzola 2020-01-21 08:53:49 UTC
Not sure if infra or network. It reproduces on any RHEL host too.

Comment 12 Jaroslav Suchanek 2020-02-20 14:52:43 UTC
Laine, can you please have a look? Do you consider this a libvirt issue worth addressing in rhel-7? Thanks.

Comment 13 Daniel Berrangé 2020-02-21 11:05:18 UTC
I can't see us addressing this in RHEL-7 as it would be quite a risky change. IIRC, we have an equiv bug against RHEL-8 already, and even there it will be tricky to address.

Comment 14 Laine Stump 2020-02-21 15:54:21 UTC
Yeah, the problem is that we need "catch-all" code that will remove any and all stray rules that may have been left over from some previous shenanigans, and (in RHEL7) all of our rules are on the standard chains so they need to be removed individually, and each attempt to remove a rule that doesn't exist results in a warning log from firewalld. The choice, then, is to either check for the presence of each rule before removing it (meaning that it will take up to 2x as long to complete the operation) or to suppress the warning logs in firewalld, but firewalld doesn't provide any way to do that and has said in the past that they don't want to provide it.

In RHEL8 it may be possible to take advantage of the fact that libvirt iptables rules are all on private chains used only by us (so possibly we could do a mass delete before re-adding), but even that probably won't eliminate 100% of the warnings.

Comment 16 Francesco Ratto 2020-10-30 08:38:24 UTC
Hi

The bug was opened almost 10 months ago but is still in status open.
Even if the bug is not causing disruption, it is white noise which can trigger alarms etc.
Can someone please take care of it?

 thanks

 Francesco

Comment 23 Laine Stump 2020-11-15 18:01:50 UTC
Dan pointed out to me in IRC the other day that calling iptables directly rather than via firewalld will eliminate these extra messages (since it's firewalld that is logging them), and that's something we'd already talked about doing (because in the end there is no gain for going through firewalld in this case). I'm working on that now.

Comment 27 Laine Stump 2020-11-21 04:02:28 UTC
Note that the current state of affairs is that when firewalld is enabled, libvirt uses dbus to call firewalld, and firewalld then execs iptables with the arguments sent by libvirt - it doesn't gather information from the arguments from libvirt, and doesn't take any other action. *Except* that if the exec of iptables returns an error, firewalld will log whatever came in on stderr from iptables to the system journal, and then return an error code to libvirt.

If firewalld is disabled (whether or not the iptables service is enabled) then libvirt execs iptables directly, stderr from the iptables command goes back to libvirt. The result will be that the same rules are loaded, but libvirt is free to ignore the error and discard the stderr output.

Whether or not the iptables.service is enabled doesn't make any difference - afaik that service just loads some rules each time it is started, and does nothing else.
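The mechanism described in the comment above (firewalld relays the stderr of a failed iptables/ebtables exec into the journal) is what makes the warnings in comment 0 look alarming even though they come from libvirt's "catch-all" cleanup of rules that were never there. The following triage helper is an added example, not code from this report or from libvirt or firewalld: it parses the `COMMAND_FAILED` lines, recovers the tool, the action flag and the chain from the quoted command line, and flags a warning as benign cleanup noise only when the action is a delete/flush/remove/rename *and* the failure reason says the chain or target was absent. The sample log is constructed from lines in this report plus one constructed `-A` failure (an add that fails is a real rule-load failure and must not be filtered); the classification lists are assumptions of this example.

```python
import os
import re
import shlex
from typing import Optional

# Constructed sample: the first five lines are copied from this report; the last
# line is a constructed append failure that must NOT be treated as benign.
SAMPLE_LOG = """\
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0' failed: Illegal target name 'libvirt-J-vnet0'.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed: iptables v1.4.21: goto 'FO-vnet0' is not a chain
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X FO-vnet0' failed: iptables: No chain/target/match by that name.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E FP-vnet0 FO-vnet0' failed: iptables: No chain/target/match by that name.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -A libvirt-in -j FI-vnet0' failed: iptables: No chain/target/match by that name.
"""

# Shape of the firewalld warning: the exec'd command line in single quotes,
# then whatever iptables/ebtables wrote to stderr.
LINE_RE = re.compile(
    r"firewalld\[\d+\]: WARNING: COMMAND_FAILED: '(?P<cmd>[^']*)' failed: (?P<reason>.*)$"
)
# Upper-case single-letter iptables/ebtables actions (-D, -F, -X, -E, -A, -I, ...).
# Lower-case options such as -t, -i, -o, -j, -g, -m and -w10 are deliberately not matched.
ACTION_RE = re.compile(r"^-[ADIRNXFEP]$")

# Assumption of this example: only tear-down/rename actions are cleanup...
CLEANUP_ACTIONS = {"-D", "-F", "-X", "-E"}
# ...and only these stderr texts mean "the thing you tried to remove was not there".
NOT_PRESENT_REASONS = (
    "doesn't exist",
    "is not a chain",
    "No chain/target/match by that name",
    "Illegal target name",
)


def classify(line: str) -> Optional[dict]:
    """Parse one journal line; return None if it is not a COMMAND_FAILED warning."""
    m = LINE_RE.search(line)
    if not m:
        return None
    argv = shlex.split(m.group("cmd"))
    tool = os.path.basename(argv[0])
    action, chain = None, None
    for i, arg in enumerate(argv[1:], start=1):
        if ACTION_RE.match(arg):
            action = arg
            # For -D/-F/-X/-A/-I the next token is the chain; for -E it is the old name.
            chain = argv[i + 1] if i + 1 < len(argv) else None
            break
    reason = m.group("reason").strip()
    benign = action in CLEANUP_ACTIONS and any(p in reason for p in NOT_PRESENT_REASONS)
    return {"tool": tool, "action": action, "chain": chain, "reason": reason, "benign": benign}


def triage(log_text: str):
    """Split COMMAND_FAILED warnings into benign cleanup noise and real failures."""
    parsed = [r for r in (classify(l) for l in log_text.splitlines()) if r]
    benign = [r for r in parsed if r["benign"]]
    suspect = [r for r in parsed if not r["benign"]]
    return benign, suspect


if __name__ == "__main__":
    benign, suspect = triage(SAMPLE_LOG)
    print(f"{len(benign)} benign cleanup warnings, {len(suspect)} needing attention")
    for r in suspect:
        print(f"  {r['tool']} {r['action']} {r['chain']}: {r['reason']}")
```

Feeding `journalctl -b -u firewalld` output through `triage()` turns the wall of warnings in comment 3 into one count and a short list of anything that is not a failed removal, which is what an alerting rule should key on; once libvirt runs iptables directly (comment 28) the benign set is expected to be empty.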

Comment 28 Laine Stump 2020-11-24 20:07:26 UTC
I've pushed patches to upstream to switch libvirt to directly running iptables/ebtables rather than going through firewalld, as mentioned in Comment 23. This eliminates the extraneous log messages from firewalld. This change will be included in upstream libvirt-6.10.0.

commit e66451f685e29ffe4be5a060ef64b19961ad4bb5
Author: Laine Stump <laine>
Date:   Mon Nov 16 19:20:53 2020 -0500

    util/tests: enable locking on iptables/ebtables commandlines in unit tests
    
commit 0a867cd895f06134d24eb27070285bb4b50c088f
Author: Laine Stump <laine>
Date:   Mon Nov 16 20:02:43 2020 -0500

    util/tests: enable locking on iptables/ebtables commandlines by default
    
commit e9693502fb63ce5ddd07d2599daddc563c422eed
Author: Laine Stump <laine>
Date:   Tue Nov 17 13:51:45 2020 -0500

    tests: fix iptables test case commandline options in virfirewalltest.c
    
commit c102bbd3efc358fb44fa2bb37fb0bcbeaaab72a5
Author: Laine Stump <laine>
Date:   Mon Nov 23 09:48:29 2020 -0500

    network: be more verbose about the reason for a firewall reload
    
commit 56dd128bd06c38fab4256a098124d47d803e919a
Author: Laine Stump <laine>
Date:   Mon Nov 16 20:17:05 2020 -0500

    util: always check for ebtables/iptables binaries, even when using firewalld
    
commit 070690538a1ed301b004c542d94b13ee9bffc9d6
Author: Laine Stump <laine>
Date:   Mon Nov 23 14:39:40 2020 -0500

    util: synchronize with firewalld before we start calling iptables directly
    
commit b19863640d10b47b7c4a7cbadb21f196d61d96a2
Author: Laine Stump <laine>
Date:   Tue Nov 17 10:55:12 2020 -0500

    util: call iptables directly rather than via firewalld

Comment 29 yalzhang@redhat.com 2020-12-15 08:25:43 UTC
Reproduce the bug by:

1. Start the libvirtd while the firewalld is active;
2. start a vm with interface connected to default network and set with nwfilter;
3. restart firewalld;
4. check the logs by "# journalctl -b -u firewalld", there will be a bunch of firewalld warnings;

update libvirt to libvirt-6.10.0-1.module+el8.4.0+8898+a84e86e1.x86_64, and test with above steps, no such firewalld warning any more. The bug is fixed.

Comment 35 yalzhang@redhat.com 2020-12-18 05:38:46 UTC
1. restart libvirtd while firewalld is active;
2. start a vm with interface as below:
<interface type='network'>
  <mac address='52:54:00:66:27:f8'/>
  <source network='default' portid='0d30e838-677d-4614-8cd6-87f6078267cd' bridge='virbr0'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic'/>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>
3. save the rules:
# iptables-save > ipv4.before
# ip6tables-save > ipv6.before
# ebtables -t nat -L  > ebtables.before
 
4. # systemctl restart firewalld
# iptables-save > ipv4.after
# ip6tables-save > ipv6.after
# ebtables -t nat -L  > ebtables.after
compare the rules, there are no difference.

5. # journalctl -b -u firewalld 
# (no warnings as in comment 0)

6. check the libvirt zone info:
# firewall-cmd --info-zone libvirt
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources: 
  services: dhcp dhcpv6 dns ssh tftp
  ports: 
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject
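Step 3 and 4 of the verification above (dump the rules, restart firewalld, dump again, compare) has one practical catch: `iptables-save` output starts and ends with `# Generated by ...`/`# Completed on ...` comment lines carrying a timestamp, and chain policy lines carry `[packets:bytes]` counters, so a raw `diff` of the before/after files reports differences that are not rule changes. The helper below is an added example, not part of this report or of libvirt: it normalizes two `iptables-save`/`ip6tables-save` dumps by dropping comment lines and counters and then reports rules removed and added, in order, so a reordered or silently dropped nwfilter rule shows up while cosmetic noise does not. The dumps are constructed for the example (chain and rule names follow the ones in comment 0; the addresses are made up). `ebtables -t nat -L` output has a different layout and is not handled here.

```python
import difflib
import re

# Constructed iptables-save excerpt standing in for "ipv4.before" (not from the report).
BEFORE = """\
# Generated by iptables-save v1.8.4 on Fri Dec 18 13:00:01 2020
*filter
:INPUT ACCEPT [120:9000]
:FORWARD ACCEPT [0:0]
:libvirt-in - [0:0]
:FI-vnet0 - [0:0]
-A FORWARD -j libvirt-in
-A libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0
-A FI-vnet0 -p udp -m udp --dport 67 -j ACCEPT
COMMIT
# Completed on Fri Dec 18 13:00:01 2020
"""

# Same rules after the restart: only timestamps and counters changed.
AFTER_SAME = """\
# Generated by iptables-save v1.8.4 on Fri Dec 18 13:02:47 2020
*filter
:INPUT ACCEPT [131:9810]
:FORWARD ACCEPT [3:252]
:libvirt-in - [3:252]
:FI-vnet0 - [0:0]
-A FORWARD -j libvirt-in
-A libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0
-A FI-vnet0 -p udp -m udp --dport 67 -j ACCEPT
COMMIT
# Completed on Fri Dec 18 13:02:47 2020
"""

# Constructed failure case: the physdev jump into the per-interface chain is gone.
AFTER_MISSING = AFTER_SAME.replace(
    "-A libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n", ""
)

COUNTER_TRAILING = re.compile(r"\s*\[\d+:\d+\]$")   # ":CHAIN POLICY [p:b]"
COUNTER_LEADING = re.compile(r"^\[\d+:\d+\]\s*")    # "[p:b] -A ..." from iptables-save -c


def normalize(dump: str):
    """Return the rule lines of an iptables-save dump without comments or counters."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # timestamped header/footer comments differ on every run
        line = COUNTER_TRAILING.sub("", COUNTER_LEADING.sub("", line))
        rules.append(line)
    return rules


def ruleset_diff(before: str, after: str):
    """Order-sensitive comparison: returns (removed_rules, added_rules)."""
    b, a = normalize(before), normalize(after)
    removed, added = [], []
    sm = difflib.SequenceMatcher(a=b, b=a, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(b[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(a[j1:j2])
    return removed, added


if __name__ == "__main__":
    for label, after in (("same", AFTER_SAME), ("missing", AFTER_MISSING)):
        removed, added = ruleset_diff(BEFORE, after)
        print(f"{label}: removed={removed} added={added}")
```

Run it against the real files with `ruleset_diff(open("ipv4.before").read(), open("ipv4.after").read())`; an empty pair is the "no difference" result the comment above reports, and anything in `removed` after a firewalld restart is the rule-loss case that the warnings in comment 0 were masking.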

Comment 40 errata-xmlrpc 2021-05-25 06:41:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2098

